By James Pooley, author of “Secrets: Managing Information Assets in the Age of Cyberespionage“
Most of us assume that corporate espionage and digital theft of trade secrets rarely occur outside of technology, retail, and finance. But as the recent hacking of the Houston Astros’ internal computer network — allegedly by St. Louis Cardinals employees — proves, every company in every industry is vulnerable.
As cybersecurity breaches become increasingly common, companies need to take steps to protect their information assets. If it can happen in baseball, it can happen anywhere.
Clearly, just hitting the ball well isn’t enough: Competition these days is all about information — who has it and who can get it. We’ll be hearing about stories like this more frequently as we expand our use of technology and hackers get more sophisticated.
Here are four questions to consider if you’re serious about protecting your company’s secrets from being hacked:
1. What information do you have that could give your competition an edge?
Don’t underestimate the value of your company’s information. Cyberhacking isn’t just a threat for big organizations with complicated technology. In the hands of the competition, a wide variety of information about your company’s products, processes, strategies, and client base can be used against you.
The Astros’ database contained private statistics, scouting reports, and information about players. Most companies collect and store similar data about their performance, strategies, customers, and employees. The competition would love to know all this, and sometimes people step over ethical and legal lines to get it. Remember, in order to protect your information assets, you must first know what you have.
2. What are you doing about your passwords?
In the Astros’ case, it appears that the hackers were able to access the team’s internal network simply by trying some passwords that had been used by a former manager of the Cardinals before he went to the Astros.
In our personal lives, we often reuse the same passwords because they’re hard to remember. But in business, you can’t afford that kind of convenience. Especially if you rely only on passwords to protect information, you need to change them frequently — and especially after key personnel leave your company. Use very ‘strong’ combinations of characters. And if possible, consider adding extra layers of protection, like call-back requirements or biometrics such as fingerprints.
3. What procedures are in place to prevent employees from taking valuable information with them when they leave?
When employees leave your company, you reclaim their keys, laptops, and ID cards — but do you worry about the knowledge they carry in their heads? Companies need to mitigate the risk from the “insider threat,” since most information is lost this way.
Even when you have the right contracts in place and have done all appropriate training, you should conduct a thorough exit interview, learning as much as you can about the employee’s next job and emphasizing the importance of your secret information and your determination to protect your rights.
4. Do you educate employees about your trade secrets?
Employees don’t naturally think about information security, and the Facebook generation in particular has been raised on the idea that sharing is good and information is free. Again, behavior that is generally acceptable in employees’ private lives can cause serious problems in a business context. That’s why employers must proactively educate their people about corporate hygiene.
Good training is the best (and most cost-effective) way to avoid problems and make sure employees stay within the bounds of what’s legal, ethical, and safe. The best training is continuous, careful, upbeat, and professional, and does not rely on threats. While stories of information breaches — like the Astros hacking scandal — provide good case studies, be sure to also highlight your company’s own initiatives, especially actions by individual employees, that may have helped avoid a problem.
As the Astros’ misfortune has demonstrated, no industry or organization can consider its information assets safe. While it is impossible to guard against all information leaks, companies do have the power to strongly mitigate the risk of being hacked. What steps does your organization need to take to plug holes in its defense system?
James Pooley is the author of “Secrets: Managing Information Assets in the Age of Cyberespionage“. He provides international strategic and management advice in patent and trade secret matters, performs pre-litigation investigation and analysis, acts as a neutral and special master, and consults on information security programs.
